Getting Data In

Who is sending to my heavy forwarder?

w199284
Explorer

I'm getting a lot of parsing errors on my heavy forwarders (...Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT...), but I don't know how to tell where the event that is getting the error is coming from (what host). My HWFs are very busy and have many source devices sending events. If I knew how to associate this error with an incoming event, I think I could figure this out. tcpdump might work, but the environment is too noisy to make sense of the data. Has anyone had any experience tracking down a host?

0 Karma

richgalloway
SplunkTrust

Review the transforms.conf files on the HF for regular expressions that use wildcards. One of the expressions is matching more than the HF can handle.

---
If this reply helps you, Karma would be appreciated.
0 Karma
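One way to act on the advice above is to lint the REGEX values in transforms.conf for the constructs that typically drive PCRE into its match limit: unanchored leading wildcards, nested quantifiers such as `(\w+\s*)+`, and several unbounded `.*` in one pattern. The script below is an added example, not code from the thread or from Splunk; the transforms.conf content it scans is constructed for illustration, and the three heuristics are assumptions about what "too greedy" looks like rather than anything PCRE or Splunk documents. On a real heavy forwarder you would feed it the effective configuration (for example the output of `splunk btool transforms list --debug`) instead of the embedded sample.

```python
"""Lint Splunk transforms.conf REGEX values for backtracking-prone constructs.

Added example (not from the thread or from Splunk): a heuristic scan for the
kind of regex that tends to hit PCRE_ERROR_MATCHLIMIT on a busy forwarder.
"""
import re
from typing import Dict, List

# Constructed sample transforms.conf (not taken from any real deployment).
SAMPLE_TRANSFORMS_CONF = """\
[drop_debug_lines]
REGEX = ^DEBUG
DEST_KEY = queue
FORMAT = nullQueue

[extract_user_from_anything]
# Unanchored wildcards plus a nested quantifier: heavy backtracking on non-matching input
REGEX = .*user=(\\S+).*(\\w+\\s*)+$
FORMAT = user::$1

[route_by_host]
REGEX = ^host=(?<src>[^\\s]+)
DEST_KEY = _MetaData:Host
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z0-9_:.-]+)\s*=\s*(?P<val>.*)$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    '#' comment lines, and backslash line continuation."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group("name")
            stanzas[current] = {}
            continue
        m = KV_RE.match(stripped)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("val").strip()
    return stanzas


# Heuristic risk checks, each applied to the REGEX text itself (assumed rules of thumb).
RISK_CHECKS = [
    # pattern begins with .* (optionally after an inline flag group such as (?i))
    ("unanchored leading wildcard", re.compile(r"^(?:\(\?[imsx]+\))?\.\*")),
    # a group containing a quantifier that is itself quantified, e.g. (\w+\s*)+
    ("nested quantifier", re.compile(r"\([^()]*[*+][^()]*\)[*+{]")),
    # two or more unbounded .* / .+ wildcards in one pattern
    ("multiple unbounded wildcards", re.compile(r"\.[*+].*\.[*+]")),
]


def lint_regex(pattern: str) -> List[str]:
    """Return the labels of every heuristic the given regex trips."""
    return [label for label, check in RISK_CHECKS if check.search(pattern)]


def lint_transforms(text: str) -> Dict[str, List[str]]:
    """Return {stanza_name: [findings]} for every stanza whose REGEX trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for name, kv in parse_conf(text).items():
        regex = kv.get("REGEX")
        if regex is None:
            continue
        hits = lint_regex(regex)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for stanza, hits in lint_transforms(SAMPLE_TRANSFORMS_CONF).items():
        print(f"[{stanza}] REGEX is risky: {', '.join(hits)}")
```

The heuristics deliberately err on the side of flagging too much: a stanza they report still has to be reviewed by hand, but a stanza that matches nothing here is a poor first suspect for the match-limit error. Rewriting a flagged pattern to anchor at `^`, replace `.*` with a bounded character class, and remove nested quantifiers is the usual fix.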

Vijeta
Influencer

@w199284 Did you check the _internal index? Make sure your role has access to the _internal index. The host field should give you the information.

index=_internal sourcetype=splunkd  PCRE_ERROR_MATCHLIMIT*
0 Karma